Simple Customer Relationship Management System v1.0 was discovered to contain a SQL injection vulnerability via the name parameter under the Request a Quote function.

Submitted by oretnom23 on Tuesday, November 29, 2022 - 15:00.

This project is entitled **Simple Customer Relationship Management (CRM) System**. It is a web-based application that was developed using **PHP** and **MySQL Database**. It provides certain business customers with an online platform where they can submit quotation requests and issue tickets. It has a pleasant user interface using the **Bootstrap Framework**. This project is consist of user-friendly features and functionalities.

****How does the Simple Customer Relationship Management (CRM) System work?****

This **Simple Customer Relationship Management (CRM) System** can be accessed by 2 different user roles which are the **Administrator** and the **Customers**. The **Administrator** can access the admin panel of the system while the **Customer** has access to the customer side of the application.

The **Administrator** user is the one who is in charge of managing the important data on the system. This side of the system requires the **Admin User** to log in with his/her valid system credentials in order to access and manage the system on the admin side. Here, the administrator is able to read and manage the **quotation requests of the customers** and the same as well on the **created or issued tickets** of the customers. Aside from that, the admin can also list the registered customers' accounts.

The **Customers** are required to signup and log in to the system in order to gain access to the different features and functionalities on the **Customer Side**. They submit **quotation requests** and **tickets**. The customer can only access and manage the list of quotation requests and tickets that he or she submitted.

****Features and Functionalities****

Here are the different features and functionalities of the **Simple Customer Relationship Management (CRM) System**

****Admin Site****

*   **Login and Logout**
*   **Dashboard**
    *   Data Summary
    *   Visitors Graph
*   **List and Manage Tickets**
*   **List and Manage Customers' Quotation Requests**
*   **List All Users' Access Logs**
*   **List and Manage Registered Users' Accounts**
*   **Update/Change Password**

****Customer Site****

*   **Login and Registration**
*   **Dashboard**
*   **Create Quotation Request**
*   **List Tickets**
*   **Create Ticket**
*   **View Ticket Details**
*   **View and Manage Profile**
*   **Update/Change Password**

****Technologies****

Here is the list of Technologies to develop the **Simple Customer Relationship Management (CRM) System**:

*   HTML
*   CSS
*   PHP
*   MySQL Database
*   Bootstrap Framework
*   DataTables
*   JavaScript
*   jQuery Library

The **Simple Customer Relationship Management (CRM) System Project** source code **zip file** is provided on this website and is free to download. Feel Free to download the source code and modify it to meet your own requirements.

****Snapshots********Admin Dashboard****

****Quote Request Details (Admin)****

****Ticket List (Admin)****

****Customer Dashboard****

****Quote Request Form (Customer-Side)****

****Ticket Form (Customer-Side)****

****How to Run?****

****Requirements****

*   **Download** and **Install** any **local web server** such as **XAMPP.**
*   **Download** the provided source code **zip** file. (_download button is located below_)

****System Installation/Setup****

1.  **Open** your **XAMPP Control Panel** and start ****Apache**** and ****MySQL****.
2.  **Extract** the **downloaded source code **zip** file**.
3.  **Copy** the extracted source code folder and **paste** it into the **XAMPP's "htdocs" directory**.
4.  **Browse** the ****PHPMyAdmin**** in a **browser**. i.e. ****http://localhost/phpmyadmin****
5.  **Create** a **new database** named ****scrm\_db****.
6.  **Import** the provided ****SQL**** file. The file is known as ****scrm\_db.sql**** located inside the **database** folder.
7.  **Browse** the **Simple Customer Relationship Management (CRM) System** in a **browser**. i.e. ****http://localhost/php-scrm/****.

****Admin Default Access:****

Username: **admin**  
Password: **admin123**

****DEMO VIDEO****

That's it! I hope this **Simple Customer Relationship Management (CRM) System Project in PHP and MySQL Database** helps you with what you are looking for and that you'll find something useful in the source code file itself.

Explore more on this website for more **Tutorials** and **Free Source Codes**.

****Enjoy :)****

*   5237 views

CVE-2023-24654: Simple Customer Relationship Management (CRM) System using PHP Free Source Code

Ubuntu Security Notice 5885-1 - Ronald Crane discovered integer overflow vulnerabilities in the Apache Portable Runtime that could potentially result in memory corruption. A remote attacker could possibly use these issues to cause a denial of service or execute arbitrary code.

==========================================================================  
Ubuntu Security Notice USN-5885-1  
February 27, 2023

apr vulnerability  
==========================================================================

A security issue affects these releases of Ubuntu and its derivatives:

- Ubuntu 22.10  
- Ubuntu 22.04 LTS

Summary:

APR could possibly be made to crash or run programs if it received  
specially crafted network traffic.

Software Description:  
- apr: Apache Portable Runtime Library

Details:

Ronald Crane discovered integer overflow vulnerabilities in the Apache  
Portable Runtime (APR) that could potentially result in memory corruption.  
A remote attacker could possibly use these issues to cause a denial of  
service or execute arbitary code.

Update instructions:

The problem can be corrected by updating your system to the following  
package versions:

Ubuntu 22.10:  
libapr1 1.7.0-8ubuntu0.22.10.1

Ubuntu 22.04 LTS:  
libapr1 1.7.0-8ubuntu0.22.04.1

In general, a standard system update will make all the necessary changes.

References:  
https://ubuntu.com/security/notices/USN-5885-1  
CVE-2022-24963

Package Information:  
https://launchpad.net/ubuntu/+source/apr/1.7.0-8ubuntu0.22.10.1  
https://launchpad.net/ubuntu/+source/apr/1.7.0-8ubuntu0.22.04.1

Ubuntu Security Notice USN-5885-1

Debian Linux Security Advisory 5364-1 - Ronald Crane discovered that missing input saniting in the apr_base64 functions of apr-util, the Apache Portable Runtime utility library, may result in denial of service or potentially the execution of arbitrary code.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5364-1                   security@debian.orghttps://www.debian.org/security/                     Salvatore BonaccorsoFebruary 26, 2023                     https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : apr-utilCVE ID         : CVE-2022-25147Ronald Crane discovered that missing input saniting in the apr_base64functions of apr-util, the Apache Portable Runtime utility library, mayresult in denial of service or potentially the execution of arbitrarycode.For the stable distribution (bullseye), this problem has been fixed inversion 1.6.1-5+deb11u1.We recommend that you upgrade your apr-util packages.For the detailed security status of apr-util please refer to itssecurity tracker page at:https://security-tracker.debian.org/tracker/apr-utilFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQKTBAEBCgB9FiEERkRAmAjBceBVMd3uBUy48xNDz0QFAmP7XXNfFIAAAAAALgAoaXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDQ2NDQ0MDk4MDhDMTcxRTA1NTMxRERFRTA1NENCOEYzMTM0M0NGNDQACgkQBUy48xNDz0QB3Q/9HyXeMjxWnq4JsTDF+LZvv13WdUVhuaKmhoe7LAg7HLUYy1F49LNQGfBNy2bmg/Ggp/ga+Vb+7F+A2/OpF38AaLaMyREbnaqU2XHM25Zp2LlITjZsf3lI42TwiyiiWjhBFd2cGnLrnGkghz4wBTEdU5OUTvKg5987y0FwuapCs4FoW7xCEzsLNkunpcbwyhh7mljVnXKl2gJ73q81cseGOB0BOyfxK3KMV+9pOhJ12OJsY61BpOspFuzV0yZHyNTQduqy6wWUecRyl7tiOed4CcS5zCLQNBlqoXyvyhg6+rzyQWPWAwyDwP+vR2hDEPt7hH8ejbeloY+Gqp6Fi1gxdOtKphFyGKRe6BuLGyFHK4M1eJUCqHOqQTuFtgTNNRCz8Km5bJGIPo9lkwHfGySSUJ9KEECEoMj6eTvpJUlyt0hPLQsM6vzcu6eTWiJAOQauoprhOK5V4Hh2pF7G0zqPqkKK13962EsbODdkOTHzDA99ocqgYjOzTp9xZM7ivuXTnMexMJJu7eew8VYSKChNZB3BeTKoAkXoRev0kSROr2VznnPjqyIuocEvcypG9k5/6Fpb6VwFtxQuqZRLri0xqqWr2ZTczDTeCC7X/jDdt53zKCEVv7exx/h6LBDOilmr/BZwyciX5y+e6wVEx5PK67LkwGlx+4ZaSqAKDUYdm50=Twof-----END PGP SIGNATURE-----

Debian Security Advisory 5364-1

ZoneMinder is a free, open source Closed-circuit television software application for Linux which supports IP, USB and Analog cameras. Versions prior to 1.36.33 and 1.37.33 are affected by a SQL Injection vulnerability. The (blind) SQL Injection vulnerability is present within the `filter[Query][terms][0][attr]` query string parameter of the `/zm/index.php` endpoint. A user with the View or Edit permissions of Events may execute arbitrary SQL. The resulting impact can include unauthorized data access (and modification), authentication and/or authorization bypass, and remote code execution.

CVE-2023-26034: SQL Injection

The cloud-native application protection platform market is expanding as security teams look to protect their applications and the software supply chain.

As more organizations shift to cloud-native application development to support new business features and digital transformation initiatives, software supply chain issues have become more visible. Because cloud-native development relies so heavily on open source software, organizations have to start thinking about the components that go into these applications.

To build these cloud-native applications, developers have adopted agile application development practices and rapid release cycles, and they rely heavily on open source code and microservices from a widely distributed and often vast community to compose their containers and serverless functions. While the source code may primarily come from an established ecosystem, it is common for some to originate from unknown sources or obsolete projects.

Traditional security approaches aren't designed to handle this new approach to application development, especially for modern cloud compute and serverless architectures. This is the area cloud-native application protection platforms evolved to address. Gartner describes CNAPP as "an integrated set of security and compliance capabilities designed to help secure and protect cloud-native applications across development and production."

According to a recent Frost & Sullivan report, sales of CNAPP topped $1.7 billion in 2021, nearly 49% higher than 2020. Frost & Sullivan projects that CNAPP revenues will grow at a compound annual growth rate of almost 26% from 2021 to 2026. The report's author, industry principal for global cybersecurity Anh Tien Vu, forecasts that by 2026, revenues will exceed $5.4 billion "because of the increasing demand for a unified cloud security platform that strengthens cloud infrastructure security and protects applications and data throughout their life cycle."

**Prevent Problems During Development**

Attackers are increasingly homing in on cloud-native targets to exploit vulnerabilities that enter the software supply chain. Last year, the Log4Shell vulnerability in the widely deployed Log4j Java runtime library illustrated the broad impact such a vulnerability can have on the application ecosystem. Given the widespread distributed deployment of Java applications, organizations had to scramble to find and patch them after Apache Foundation's public disclosure.

"With Log4j, people didn't know whether those libraries were in use or not," says Enterprise Strategy Group senior analyst Melinda Marks. Experts frequently cite Log4j as a wake-up call to CISOs and CIOs that software development lifecycles need to collaborate more closely and shift left.

Marks says CNAPP enables organizations to establish DevSecOps processes in which software developers take the lead in discovering potential flaws in code before deploying application runtimes into production, but it also goes further. "This is important for preventing security issues before you deploy your applications to the cloud, because once you deploy them, they're available for the hackers," Marks says.

**Monitor Runtime to Identify Priorities**

CNAPPs consolidate siloed capabilities, including the scanning of development artifacts such as containers and infrastructure as code (IaC), cloud security posture management (CSPM), cloud infrastructure management (CIEM), and runtime cloud workload protection platforms. Besides providing a more unified approach and better visibility of the risk of cloud-native computing environments, CNAPP provides common controls to mitigate vulnerabilities.

Notably, CNAPP also facilitates collaboration among application development, cybersecurity, and IT infrastructure teams, paving the way for detecting and mitigating vulnerabilities before applications are deployed into production. Security vendors such as Check Point and Palo Alto Networks are adding CNAPP capabilities to their security platforms.

Marks warns that there's a misconception about shifting security left: that it's all about moving security up front in the software development and build cycles. "There's also the need to tie in the runtime monitoring and have that context for developer workflows, so they're not wasting time on fixing things that have no impact on how the application is actually going to run in the cloud," she says.

Tackling Software Supply Chain Issues With CNAPP

Your fortnightly rundown of AppSec vulnerabilities, new hacking techniques, and other cybersecurity news

Jessica Haworth 24 February 2023 at 13:09 UTC  
Updated: 24 February 2023 at 13:15 UTC

Your fortnightly rundown of AppSec vulnerabilities, new hacking techniques, and other cybersecurity news

  

Twitter faced further criticism this week when Elon Musk’s social networking platform announced SMS-based 2FA will only be available to paying customers going forward.

The social media site historically enabled two-factor authentication (2FA) to all users, providing they connected their mobile phone number to their account.

This week, however, users were warned that this security option would no longer be available to users who did not pay for verification.

Of course, this sparked huge backlash online, particularly among the majority of those with non-paid accounts.

It’s worth noting, though, that users can still use 2FA with third-party authentication apps such as Google Authenticate.

Want the latest web security news straight to your inbox? Sign up to our newsletter here

Elsewhere, web hosting provider GoDaddy announced it had fallen victim to a cyber-attack… and this was part of a campaign lasting almost three years.

The company announced in a statement that it had evidence of an intrusion that took place back in December 2022, when “a small number of customers” complained about their websites being intermittently redirected.

In a filing to the US Securities and Exchange Commission (PDF), the American domain registrar also divulged that it had evidence this attack was linked to an earlier incident in March 2020, when an attacker “compromised the hosting login credentials of approximately 28,000 hosting customers to their hosting accounts as well as the login credentials of a small number of our personnel”.

GoDaddy says it believes these attacks, together with a 2021 compromise of its hosted WordPress service, “are part of a multi-year campaign by a sophisticated threat actor group”.

BACKGROUND Truffle Security relaunches XSS Hunter tool with new features

Finally, the maintainers of newly resurfaced tool XSS Hunter announced the introduction of optional end-to-end (e2e) encryption to its fork after a backlash from privacy-conscious users.

Truffle Security, which launched a new fork of the open source utility after its deprecation by original creator Matthew Bryant, were criticized earlier this month for inspecting potentially sensitive data generated by users after they shared anonymized statistics about the vulnerabilities unearthed.

As reported by The Daily Swig, users have now been reassured that e2e encryption has been added to the fork in a statement given by Truffle Security’s founder.

We also recently reported that Belgium has become the first European country to adopt a national, comprehensive safe harbor framework for ethical hackers, and how Frans Rosén topped PortSwigger’s top 10 web hacking techniques of 2022 with his research ‘Account hijacking using dirty dancing in sign-in OAuth-flows’.

You can catch up with the full range of our recent news coverage by visiting The Daily Swig’s homepage.

Here are some more web security stories and other cybersecurity news that caught our attention in the last fortnight:

**Web vulnerabilities**

*   FortiNAC / Critical / Unauthenticated RCE / An external control of file name or path in certain Fortinet FortiNAC versions allow attackers to execute unauthorized code / Patched and disclosed February 16
*   Node.js / Medium / CLRF injection / The fetch API in Node.js did not prevent CRLF injection in the host header potentially allowing attacks such as HTTP response splitting and HTTP header injection / Patched and disclosed February 16
*   Node.js / High / Permissions policies bypass / Non-authorized modules potentially accessible via / Patched and disclosed February 16
*   Kardex MLOG / Severity TBC / RCE / SSTI to RCE due to sanitization issue on industrial web interface / Patched January 24, disclosed February 7
*   Apache Kerby / LDAP injection / Vulnerability exists in / Patched and disclosed February 20

**Research and attack techniques**

*   PortSwigger’s\* Gareth Heyes demonstrated how to detect server-side prototype pollution without causing denial-of-service at AppSec Dublin conference earlier this month.
*   Researchers from CyberXplore detailed how they hacked GitHub for a whole month, resulting in the finding of six vulnerabilities, which are detailed in this blog post.
*   Software engineer Matt Frisbie built a purposely-malicious Google Chrome extension that steals as much data as possible to demonstrate what users could expose themselves to if they aren’t careful with what they install.

A security researcher has praised the merits of hacking on Apple’s bug bounty program

**Bug bounty/vulnerability disclosure**

*   A write-up from security researcher Omar Hashem, who fully took over a HubSpot account, details his failures on the path to exploitation. Research is inherently about trial and error, yet few write ups shared online talk about the things that didn’t work.
*   A researcher calling themselves ‘infiltrateops’ shared details on how they were awarded a decent payout from Apple and lauded the response from its security team.
*   Google released a review of all of the bugs found in its vulnerability reward program in 2022, revealing it fixed more than 2,900 issues in that year alone.

**New open source security tools**

*   Legitify, a tool for detecting and remediating security issues across GitHub and GitLab assets, added support for GPT-based misconfiguration scanning.
*   GuardDog, a tool used to identify malicious Python packages using Semgrep and package metadata analysis, has been updated to provide npm support, new heuristics, and easier CI integration.

\*PortSwigger is the parent company of The Daily Swig.

PREVIOUS EDITION Deserialized web security roundup: KeePass dismisses ‘vulnerability’ report, OpenSSL gets patched, and Reddit admits phishing hack

Deserialized web security roundup: Twitter 2FA backlash, GoDaddy suffers years-long attack campaign, and XSS Hunter adds e2e encryption

Generation of Error Message Containing Sensitive Information vulnerability in the Apache Airflow AWS Provider. This issue affects Apache Airflow AWS Provider versions before 7.2.1.

**Apache Airflow AWS Provider Generates Error Message Containing Sensitive Information**

Moderate severity GitHub Reviewed Published Feb 24, 2023 to the GitHub Advisory Database • Updated Feb 24, 2023

GHSA-w695-p3j5-hrj9: Apache Airflow AWS Provider Generates Error Message Containing Sensitive Information

Improper Input Validation vulnerability in the Apache Airflow Hive Provider. This issue affects Apache Airflow Hive Provider versions before 5.1.3.

**Apache Airflow Hive Provider Improper Input Validation vulnerability**

Moderate severity GitHub Reviewed Published Feb 24, 2023 to the GitHub Advisory Database • Updated Feb 24, 2023

GHSA-9mwf-mw74-9cv5: Apache Airflow Hive Provider Improper Input Validation vulnerability

Improper Input Validation vulnerability in the Apache Airflow Google Provider. This issue affects Apache Airflow Google Provider versions before 8.10.0.

**Apache Airflow Google Provider Improper Input Validation vulnerability**

Moderate severity GitHub Reviewed Published Feb 24, 2023 to the GitHub Advisory Database • Updated Feb 24, 2023

Tag

#apache